Decade-old espionage malware found targeting government computers

"TeamSpy" used digitally signed TeamViewer remote access tool to spy on victims.

Researchers have unearthed a decade-long espionage operation that used the popular TeamViewer remote-access program and proprietary malware to target high-level political and industrial figures in Eastern Europe.

TeamSpy, as the shadow group has been dubbed, collected encryption keys and documents marked as "secret" from a variety of high-level targets, according to a report published Wednesday by Hungary-based CrySyS Lab. Targets included a Russia-based Embassy for an undisclosed country belonging to both NATO and the European Union, an industrial manufacturer also located in Russia, multiple research and educational organizations in France and Belgium, and an electronics company located in Iran. CrySyS learned of the attacks after Hungary's National Security Authority disclosed intelligence that TeamSpy had hit an unnamed "Hungarian high-profile governmental victim."

Malware used in the attacks indicates that those responsible may have operated for years and may have also targeted figures in a variety of countries throughout the world. Adding intrigue to the discovery, techniques used in the attacks bear a striking resemblance to an online banking fraud ring known as Sheldon, and a separate analysis from researchers at Kaspersky Lab found similarities to the Red October espionage campaign that the Russia-based security firm discovered earlier this year.

"Most likely the same attackers are behind the attacks that span for the last 10 years, as there are clear connections between samples used in different years and campaigns," CrySyS researchers wrote in their report. "Interestingly, the attacks began to gain new momentum in the second half of 2012."

They added: "The attackers surely aim for important targets. This conclusion comes from a number of different facts, including victim IPs, known activities on some targets, traceroute for probably high-profile targets, file names used in information stealing activities, strange paramilitary language of some structures, etc."

The attackers relied on a variety of methods, including a legitimately signed copy of TeamViewer that is made to load a malicious library through a technique known as "DLL hijacking," giving the operators a way to watch targets in real time. Installing the trojanized bundle also hands the attackers a backdoor through which they can push updates and additional malware. Both the TeamViewer technique and the command servers used in the attack hark back to Sheldon. The TeamSpy operation also relies on more traditional malware tools that were custom-built for espionage or bank fraud.

According to Kaspersky, the operators infected their victims through a series of "watering hole" attacks that plant malware on websites frequented by the intended victims. When the targets visit the booby-trapped sites, they also become infected. The attackers also injected malware into advertising networks to blanket entire regions. In many cases, much of that attack code used to infect victims was spawned from the Eleonore exploit kit. Domains used to host command and control servers that communicated with infected machines included politnews.org, bannetwork.org, planetanews.org, bulbanews.org, and r2bnetwork.org.

The discovery of TeamSpy is only the latest to reveal an international operation that uses malware to siphon sensitive data from high-profile targets. The most well-known campaign was dubbed Flame. Other surveillance campaigns include Gauss and Duqu, all three of which are believed to have been supported by a well-resourced nation-state. Last year, researchers also uncovered an espionage campaign dubbed Mahdi.

Wait - so to clarify this is not a flaw in TeamViewer but they managed to install a hacked version of TeamViewer on affected machines, right?

It is probably a flaw in TeamViewer, but not in the way you're most likely thinking. DLL hijacking is an attack that involves tricking an app to use a DLL of your own creation instead of the DLL that the app designer actually meant to call. Then you can trick it to load a DLL that does pretty much anything you want - like open a trap door. In the past, DLL hijacking was relatively easy to do simply because of a design flaw in the way Windows XP and earlier handled DLLs. SP2 included the SafeDllSearchMode registry key, which turned on a DLL search mode that largely mitigated this design flaw. Largely. The applications themselves can still call DLLs in a way that makes them susceptible to this attack. Apparently, TeamViewer does just that. The attackers clearly know the names of the DLLs that TeamViewer calls, so they've placed their own DLL of the same name in a location they could trick TeamViewer to look at - either because TeamViewer assumes that a portion of the path can be found in a particular variable that's not actually set, or because TeamViewer's using a relative path to its DLL, or something similar.

So, they're not actually exploiting the TeamViewer binary with a buffer overflow or anything like that. They're bundling a legitimate, signed copy of TeamViewer with a DLL that they know TeamViewer wants. The user downloads the munged bundle, installs it (because the binary passes the installation cert check) and then dumps the illicit DLL where they know TeamViewer will find it before the legitimate DLL that's meant to be called.
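The technique the article and the comment above describe leaves a visible trace on a live host: a process ends up with a module that carries the name of a system DLL but was loaded from somewhere other than the Windows directory (typically the application's own folder, which the loader searches first). The PowerShell hunt below is an added example, not code from the article, the commenters, CrySyS or Kaspersky, and it makes no claim about which DLL TeamSpy actually hijacked. It assumes a Windows host with PowerShell 5.1 or later, run from an elevated prompt so that other users' processes are readable, and it only covers the "same name as a System32 DLL" variant of the attack.

```powershell
# DLL search-order hijack hunt (added example, not from the article or the reports it cites).
# Idea: build the set of DLL names that live in %SystemRoot%\System32, then walk every
# running process and flag any loaded module with one of those names whose on-disk path
# is NOT under %SystemRoot%. A planted DLL beside a signed EXE shows up here, and its
# Authenticode status tells you whether it is even signed.

$systemRoot = $env:SystemRoot
$system32   = Join-Path $systemRoot 'System32'

# Lower-cased lookup table of legitimate system DLL names.
$systemDlls = @{}
Get-ChildItem -Path $system32 -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $systemDlls[$_.Name.ToLowerInvariant()] = $true }

$findings = foreach ($proc in Get-Process -ErrorAction SilentlyContinue) {
    # Reading .Modules throws for protected processes and for 32/64-bit mismatches;
    # skip those rather than abort the whole sweep.
    $modules = try { $proc.Modules } catch { $null }
    foreach ($m in $modules) {
        if (-not $m.FileName) { continue }
        $name = [IO.Path]::GetFileName($m.FileName).ToLowerInvariant()
        $dir  = [IO.Path]::GetDirectoryName($m.FileName)
        if (-not $dir) { continue }

        $looksLikeSystemDll = $systemDlls.ContainsKey($name)
        $loadedFromWindows  = $dir.StartsWith($systemRoot, [StringComparison]::OrdinalIgnoreCase)

        if ($looksLikeSystemDll -and -not $loadedFromWindows) {
            $sig = Get-AuthenticodeSignature -FilePath $m.FileName
            [pscustomobject]@{
                Process    = $proc.ProcessName
                PID        = $proc.Id
                Module     = $name
                LoadedFrom = $m.FileName
                Signature  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            }
        }
    }
}

# Unsigned or hash-mismatched hits in an application directory are the ones to pull first.
$findings | Sort-Object Signature, Process, Module | Format-Table -AutoSize
```

Expect some benign hits: applications legitimately redistribute runtime libraries that also exist in System32, so triage on the Signature and Signer columns and on whether the hosting executable is one you would expect to ship that file. If the hijacked library is an application-specific DLL rather than a system one, this sweep will not see it; for that case compare the installed files against hashes from a clean copy of the same installer.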

It is probably a flaw in TeamViewer, but not in the way you're most likely thinking. DLL hijacking is an attack that involves tricking an app to use a DLL of your own creation instead of the DLL that the app designer actually meant to call...

Ok, got it. Thanks for the info. I guess downloading from the TeamViewer site should be relatively safe if this is indeed the scenario. Lame that those DLLs don't get picked up by A/V products - assuming systems in sensitive environments are protected that way.

Creepy. If I was to guess what ordinary software I'd used was potentially malware, I'd say it was TeamViewer. I caught it pulling some unusual background process call outs to the Internet that forced me to uninstall the entire thing. But don't consider that any kind of indictment. It's just creepy.

So, they're not actually exploiting the TeamViewer binary with a buffer overflow or anything like that. They're bundling a legitimate, signed copy of TeamViewer with a DLL that they know TeamViewer wants. The user downloads the munged bundle, installs it (because the binary passes the installation cert check) and then dumps the illicit DLL where they know TeamViewer will find it before the legitimate DLL that's meant to be called.

For that to happen, they would have to download the "munged bundle" from a source that's not the original TV location. Who would do that?

Well, the article specified that the infected machines were hit with a watering hole attack. That hints at two possibilities that seem pretty obvious to me:

1. They didn't actually bundle the hijacked DLL with the TeamViewer - they simply knew that if you have TeamViewer installed, dropping that DLL in a particular place on your machine would infect you the next time you launched TeamViewer, or

2. They installed the hijacked TeamViewer bundle by way of the watering hole attack and hoped it was an app you already used and would launch thinking it was the copy you'd installed yourself.

But the shorter answer to your question is tons of people. Folks install software from some of the damnedest places. Wait a second - I think I just experienced a flaw in my sarcasm detector.

Note the press (including Ars) is repeating the FUD about how TeamViewer is available for Windows, Mac OS X, iPhone & iPad iOS, Linux, and Android, thus implying that this exploit compromises all of those systems. However if you read Kaspersky's (and others') write-ups on this exploit it is solidly a Windows ONLY exploit. DLL hijacking can only affect Windows.